diff --git a/roles/kube-master/defaults/main.yml b/roles/kube-master/defaults/main.yml
index 9f73ab4..d1110aa 100644
--- a/roles/kube-master/defaults/main.yml
+++ b/roles/kube-master/defaults/main.yml
@@ -9,8 +9,10 @@ MASTER_CERT_HOSTS:
#- "61.182.11.41"
#- "www.test.com"
-# apiserver 基础认证(用户名/密码)配置
-# 在 master 节点文件‘/etc/kubernetes/ssl/basic-auth.csv’ 可以查看密码
-BASIC_AUTH_ENABLE: "no" # 是否启用 yes/no
-BASIC_AUTH_USER: "admin"
-BASIC_AUTH_PASS: "_pwd_" # BASIC_AUTH_PASS 初次运行时会被随机密码覆盖
+# apiserver 基础认证(用户名/密码)配置,详见 master 节点文件‘/etc/kubernetes/ssl/basic-auth.csv’
+# 是否启用基础认证 yes/no
+BASIC_AUTH_ENABLE: 'no'
+# 用户名:
+BASIC_AUTH_USER: 'admin'
+# 密码:初次运行时会生成随机密码
+BASIC_AUTH_PASS: '_pwd_'
diff --git a/roles/kube-master/tasks/main.yml b/roles/kube-master/tasks/main.yml
index 6d42edf..6a63bd2 100644
--- a/roles/kube-master/tasks/main.yml
+++ b/roles/kube-master/tasks/main.yml
@@ -105,14 +105,14 @@
tags: upgrade_k8s, restart_master
- name: 配置{{ BASIC_AUTH_USER }}用户rbac权限
- template: src=admin-user-binding.yaml.j2 dest=/opt/kube/admin-user-binding.yaml
+ template: src=basic-auth-rbac.yaml.j2 dest=/opt/kube/basic-auth-rbac.yaml
when: 'BASIC_AUTH_ENABLE == "yes"'
delegate_to: "{{ groups.deploy[0] }}"
run_once: true
tags: restart_master
- name: 创建{{ BASIC_AUTH_USER }}用户rbac权限
- shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/admin-user-binding.yaml"
+ shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/basic-auth-rbac.yaml"
when: 'BASIC_AUTH_ENABLE == "yes"'
delegate_to: "{{ groups.deploy[0] }}"
run_once: true
diff --git a/roles/kube-master/templates/admin-user-binding.yaml.j2 b/roles/kube-master/templates/basic-auth-rbac.yaml.j2
similarity index 90%
rename from roles/kube-master/templates/admin-user-binding.yaml.j2
rename to roles/kube-master/templates/basic-auth-rbac.yaml.j2
index 5713a7a..4407c96 100644
--- a/roles/kube-master/templates/admin-user-binding.yaml.j2
+++ b/roles/kube-master/templates/basic-auth-rbac.yaml.j2
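Review bot: The rewritten comment above `BASIC_AUTH_PASS: '_pwd_'` no longer says where the generated password ends up: the removed line stated that the value in this file is overwritten (覆盖) by the random password, the new one only says that one is generated. That matters because the easzctl helper added in this commit prints this file's `BASIC_AUTH_PASS` line as the credential, so a reader needs to know whether this variable or only `/etc/kubernetes/ssl/basic-auth.csv` holds the real value. If the old behaviour still holds, restore it explicitly, e.g. `# 密码:保持 '_pwd_' 时初次运行会生成随机密码并覆盖此处的值`; if the generated password only lands in basic-auth.csv, say that instead. Keeping the value single-quoted is right, since the role compares it as a string in `when: 'BASIC_AUTH_ENABLE == "yes"'`.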
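Review bot: Disabling basic auth never removes the binding these two tasks create: both are guarded by `when: 'BASIC_AUTH_ENABLE == "yes"'` and there is no counterpart for the disabled case, so after `easzctl basic-auth -S` reruns this role with `-t restart_master`, `basic-auth-binding` stays in the cluster. If the binding's subject is the basic-auth user (the subjects are outside this hunk), any other authenticator that can produce that user name keeps the bound role after the CSV credential is gone. Add a delete task under the same tag with the opposite guard; the rest of the task list continues outside the hunk.
```yaml
# … unchanged: template / kubectl apply tasks guarded by BASIC_AUTH_ENABLE == "yes" …
- name: 删除{{ BASIC_AUTH_USER }}用户rbac权限
  shell: "{{ bin_dir }}/kubectl delete clusterrolebinding basic-auth-binding --ignore-not-found"
  when: 'BASIC_AUTH_ENABLE != "yes"'
  delegate_to: "{{ groups.deploy[0] }}"
  run_once: true
  tags: restart_master
```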
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: admin-user-binding
+ name: basic-auth-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
diff --git a/tools/easzctl b/tools/easzctl
index cb822d4..973c34e 100755
--- a/tools/easzctl
+++ b/tools/easzctl
@@ -9,13 +9,15 @@ set -o errexit
function usage() {
cat < context, or create it if not existed
destroy To destroy the current cluster, with '--purge' option to also delete the context
list To list all of clusters managed
setup To setup a cluster using the current context
start-aio To quickly setup an all-in-one cluster for testing (like minikube)
-Commands 2 (in-cluster opration):
+
+In-cluster operation:
add-etcd To add a etcd-node to the etcd cluster
add-master To add a kube-master(master node) to the k8s cluster
add-node To add a kube-node(work node) to the k8s cluster
@@ -23,6 +25,9 @@ Commands 2 (in-cluster opration):
del-etcd To delete a etcd-node from the etcd cluster
upgrade To upgrade the k8s cluster
+Extra operation:
+ basic-auth To enable/disable basic-auth for apiserver
+
Use "easzctl help " for more information about a given command.
EOF
}
@@ -44,6 +49,9 @@ function help-info() {
(clean-node)
echo -e "Usage: easzctl clean-node \n\nread 'https://github.com/gjmzj/kubeasz/blob/master/docs/op/clean_one_node.md'"
;;
+ (basic-auth)
+ echo -e "Usage: easzctl basic-auth \nOption:\t -s enable basic-auth\n\t -S disable basic-auth\n\t -u set username\n\t -p set password"
+ ;;
(*)
usage
return 0
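Review bot: Changing `metadata.name` to `basic-auth-binding` makes `kubectl apply` create a second ClusterRoleBinding on clusters that already applied this template: apply does not delete the old `admin-user-binding`, which stays bound to the same role for the same subject. Clusters upgraded through this commit therefore need a one-off cleanup, e.g. `kubectl delete clusterrolebinding admin-user-binding --ignore-not-found`, ideally run from the upgrade path rather than left to operators. The roleRef name and the subjects list lie outside this hunk.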
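Review bot: The new help text for `-p` does not say that the password is taken from the command line, where it is recorded in shell history and visible in `ps` output to other local users while the command runs. State that in the option description, e.g. `\t -p set password (given on the command line: lands in shell history and ps output)`, or document a way to supply it interactively if one is added. The `<...>` argument placeholders after `easzctl basic-auth` and `easzctl help` appear empty in this rendering, which looks like extraction rather than the patch; worth confirming against the file.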
@@ -298,6 +306,43 @@ function start-aio(){
setup
}
+### extra operation functions ###################################
+function print-user-pass(){
+ echo -e "\n[INFO]basic auth for apiserver enabled\n"
+ sed -n '/BASIC_AUTH_USER/p' $BASEPATH/roles/kube-master/defaults/main.yml
+ sed -n '/BASIC_AUTH_PASS/p' $BASEPATH/roles/kube-master/defaults/main.yml
+}
+
+function basic-auth(){
+ OPTIND=2
+ while getopts "sSu:p:" OPTION; do
+ case $OPTION in
+ s)
+ grep BASIC_AUTH_ENABLE roles/kube-master/defaults/main.yml|grep yes > /dev/null && { print-user-pass; return 0; }
+ sed -i "s/BASIC_AUTH_ENABLE.*$/BASIC_AUTH_ENABLE: 'yes'/g" $BASEPATH/roles/kube-master/defaults/main.yml
+ ;;
+ S)
+ grep BASIC_AUTH_ENABLE roles/kube-master/defaults/main.yml|grep no > /dev/null && { echo -e "\n[INFO]basic auth for apiserver disabled\n"; return 0; }
+ sed -i "s/BASIC_AUTH_ENABLE.*$/BASIC_AUTH_ENABLE: 'no'/g" $BASEPATH/roles/kube-master/defaults/main.yml
+ ;;
+ u)
+ grep BASIC_AUTH_ENABLE roles/kube-master/defaults/main.yml|grep no > /dev/null && { echo -e "\n[INFO]basic auth for apiserver disabled\n"; return 0; }
+ sed -i "s/BASIC_AUTH_USER.*$/BASIC_AUTH_USER: '$OPTARG'/g" $BASEPATH/roles/kube-master/defaults/main.yml
+ ;;
+ p)
+ grep BASIC_AUTH_ENABLE roles/kube-master/defaults/main.yml|grep no > /dev/null && { echo -e "\n[INFO]basic auth for apiserver disabled\n"; return 0; }
+ sed -i "s/BASIC_AUTH_PASS.*$/BASIC_AUTH_PASS: '$OPTARG'/g" $BASEPATH/roles/kube-master/defaults/main.yml
+ ;;
+ ?)
+ help-info basic-auth
+ return 1
+ ;;
+ esac
+ done
+
+ ansible-playbook $BASEPATH/04.kube-master.yml -t restart_master
+}
+
### Main Lines ##################################################
BASEPATH=/etc/ansible
@@ -366,6 +411,12 @@ case "$1" in
help-info $2
exit 0
;;
+ ### extra operations ##############################
+ (basic-auth)
+ [ "$#" -gt 1 ] || { help-info $1; exit 2; }
+ ACTION="Action: enable/disable apiserver's basic-auth"
+ CMD="basic-auth $*"
+ ;;
(*)
usage
exit 0
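Review bot: `$OPTARG` is spliced unescaped into the `sed` replacement in the `u)` and `p)` cases, so a username or password containing `/`, `&`, `\` or `'` either aborts the script (sed fails under `set -o errexit`), inserts the matched text (`&`), or leaves a broken single-quoted scalar in defaults/main.yml that the playbook run at the end of the function then cannot parse. The state checks also read the relative path `roles/kube-master/defaults/main.yml` while the edits use `$BASEPATH/...`, so when easzctl is run from any directory other than `$BASEPATH` the `grep` silently misses and every case falls through to the `sed` and playbook run — for `-u`/`-p` that means the value is applied even though basic auth is disabled. Validate the value and use one absolute path for both the check and the edit; supplying the password on the command line still leaves it in shell history, which is a separate follow-up.
```shell
# … unchanged: print-user-pass …

# reject values that would break the sed expression or the YAML single-quoted scalar
function check-value(){
  case "$1" in
    ""|*[/\&\\\'\"]*|*[[:space:]]*)
      echo "[ERROR] value for -$2 must be non-empty and contain no / & \\ quotes or whitespace"
      return 1;;
  esac
}

function basic-auth-enabled(){
  grep -q "^BASIC_AUTH_ENABLE: 'yes'" "$BASEPATH/roles/kube-master/defaults/main.yml"
}

function basic-auth(){
  local defaults="$BASEPATH/roles/kube-master/defaults/main.yml"
  OPTIND=2
  while getopts "sSu:p:" OPTION; do
    case $OPTION in
      s)
        basic-auth-enabled && { print-user-pass; return 0; }
        sed -i "s/^BASIC_AUTH_ENABLE.*$/BASIC_AUTH_ENABLE: 'yes'/" "$defaults"
        ;;
      S)
        basic-auth-enabled || { echo -e "\n[INFO]basic auth for apiserver disabled\n"; return 0; }
        sed -i "s/^BASIC_AUTH_ENABLE.*$/BASIC_AUTH_ENABLE: 'no'/" "$defaults"
        ;;
      u)
        basic-auth-enabled || { echo -e "\n[INFO]basic auth for apiserver disabled\n"; return 0; }
        check-value "$OPTARG" u || return 1
        sed -i "s/^BASIC_AUTH_USER.*$/BASIC_AUTH_USER: '$OPTARG'/" "$defaults"
        ;;
      p)
        basic-auth-enabled || { echo -e "\n[INFO]basic auth for apiserver disabled\n"; return 0; }
        check-value "$OPTARG" p || return 1
        sed -i "s/^BASIC_AUTH_PASS.*$/BASIC_AUTH_PASS: '$OPTARG'/" "$defaults"
        ;;
      # … unchanged: ?) usage case …
    esac
  done
  # … unchanged: ansible-playbook call …
}
```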
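Review bot: `CMD="basic-auth $*"` flattens the remaining arguments back into one string, so a `-u`/`-p` value containing whitespace or shell metacharacters is re-split, or expanded if `CMD` is later run through `eval` (how `CMD` is executed is outside this hunk), before it reaches `basic-auth`. Because `$*` also includes `$1` (the subcommand name itself), the function has to start parsing at `OPTIND=2`; that coupling deserves a comment on the `CMD=` line, e.g. `# $* still holds the subcommand name, so basic-auth parses from OPTIND=2`. If the dispatcher runs `CMD` as `$CMD` or `eval $CMD`, an array (`CMD=(basic-auth "${@:2}")` executed as `"${CMD[@]}"`) would keep each argument intact, but that change belongs to the shared dispatcher rather than this case alone.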